Window smashed, data lost

May 12, 2004

David Lazarus

http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2004/05/12/BUG8O6JPV71.DTL



A thief smashed the rear window of Larry Saltzman's Saab not long ago and stole his gym bag, a gold watch, credit cards, a few hundred dollars and the names, addresses and Social Security numbers of about 95,000 Bay Area residents.

At issue -- yet again -- is the question of whether people's personal information can ever be truly safe once it's handed to an outside contractor, as a local insurer did with Saltzman.

A series of thefts involving confidential data in recent months suggests that no matter how extensive a company's security measures may be, they can be easily undone by human error, negligence or random circumstances. Consumers, in turn, face the very real possibility of their personal info falling into the wrong hands.

"The more one's information is transferred, the higher the risk of fraud," said Chris Hoofnagle, associate director of the Electronic Privacy Information Center, a Washington advocacy group.

The most recent incident involves the Alameda Alliance for Health, a nonprofit managed care plan that provides insurance for almost 100,000 low-income people in the East Bay. The insurer sent out letters to members earlier this month warning that their personal information had been stolen.

The letter contained few details. It said that the Alliance uses a contractor called Spotcheck to help process insurance payments and that, on March 31, Spotcheck experienced a security breach.

"A Spotcheck employee was transporting the backup hard drive to a bank for safe keeping," the letter said. "On the way, the car was broken into while parked, and the password-protected hard drive and employee's personal items were taken."

It said that neither the insurer nor Spotcheck has any reason to believe that members' data have been compromised.

What really happened, though, is less encouraging.

Verification of insurance

Spotcheck is run by a small, privately held Sacramento firm called Insurance Benefit Spot Check. It specializes in allowing doctors to quickly confirm whether a patient is insured.

Insurance providers turn over data to Spotcheck or allow the firm access to their records. Spotcheck can then rapidly confirm a patient's insurance status, thus freeing up a doctor's or hospital's administrative staff for other functions.

Spotcheck handles insurance eligibility requests for about 70 percent of all Californians, the firm says, as well as for millions of other consumers nationwide. Participating insurers include Blue Cross, Blue Shield, Cigna and HealthNet.

Saltzman, chief executive of Insurance Benefit Spot Check, told me that he was the employee cited in the Alliance's letter. "I had the hard drive in my car," he said. "I was driving to the bank, and I stopped at my accountant's office."

The hard drive was within a leather satchel -- a so-called man-bag -- also containing Saltzman's wallet, credit cards, watch and other personal effects. He left the satchel in his car, along with a bag containing his gym gear.

"In the 10 minutes I was away," Saltzman said, "somebody smashed the window and took everything."

He said he drives a different insurer's data to the bank every day. Or, Saltzman said, he might take an insurer's data home "to work on it."

On this particular day, it happened to be the names, addresses and Social Security numbers of every member of the Alliance that were sitting in his man-bag.

Alliance officials were aghast when Saltzman called with the bad news. "We were very upset," said Renee Shiota, the organization's chief operating officer. "This was our first-ever security breach."

She said the Alliance sends updated membership info to Spotcheck via the Internet every month. Hospitals had requested that the insurer use the system as a cost-cutting move, Shiota said.

"When we contract with any vendor for personal health information, we make sure they sign a high-level confidentiality agreement in accordance with federal and state privacy laws," she said.

Such agreements, however, clearly aren't foolproof. Wells Fargo learned this in November when a consultant's Concord office was broken into and a computer was stolen containing confidential data on thousands of bank customers.

And data doesn't have to be outsourced to be in danger. Merrill Lynch's Roseville branch near Sacramento was broken into in October, and a dozen computers were stolen containing clients' personal information.

More recently, a laptop containing the names, addresses and Social Security numbers of thousands of Wells Fargo mortgage customers was stolen in late February, when a pair of bank employees traveling in the Midwest stopped at a gas-station convenience store, leaving the keys in the ignition of their unlocked rental car.

Further hand-off

Spotcheck's Saltzman said he plans to start encrypting data entrusted to his firm, and, by the end of the month, to no longer deposit hard drives at the bank.

Instead, he said he'll electronically transmit all info to a professional data-storage company.

"That will make everything a lot safer," Saltzman said.

At the Alliance, Shiota was silent when I pointed out that her contractor's solution to the security breach is to subcontract with another firm, thereby removing the organization's data one step further from its source.

"What choice do we have?" she finally responded. "The hospitals want us to do this. I wish there were guarantees, but we can't say that something like this is never, ever going to happen again."

